
yahoo-eng-team team mailing list archive

[Bug 1680289] Re: Keystone logs fernet token when token is invalid


As far as I know, that specific case is only for tokens that are invalid
and the cryptography library is unable to decrypt them (the cases where
InvalidToken is raised from decrypt [0].) If a token is considered
invalid from the cryptography library, it's actually not decipherable.
Logging the invalid token/value shouldn't expose anything of value
because there is no payload associated with the token/value.

We handle the expiration case differently, which is checked within
keystone and not the cryptography library. If a token is expired, we
don't log it [1]. Even though the token is expired, the values within
the payload, like user and project IDs, may still be valid. While
keystone won't consider an expired token valid, an attacker could use it
to try and glean information about the user, project, domain, etc.
You're absolutely right in that logging expired tokens would expose a
vulnerability. In my testing so far, I don't see any logged tokens for
this case. If there are places where we write an actual expired token to
logs, we should re-open this issue.

[0] https://github.com/pyca/cryptography/blob/ef027a69808d045dffc3b4db274d67cea1be9f3a/src/cryptography/fernet.py#L73-L122
[1] https://github.com/openstack/keystone/blob/b4990dcc31fcd1e53c97fff38088fc0d50dd7d3f/keystone/token/provider.py#L213

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1680289

Title:
  Keystone logs fernet token when token is invalid

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  If an incorrect token is passed for keystone validation (verify token), Keystone logs the token :
  https://github.com/openstack/keystone/blob/b4990dcc31fcd1e53c97fff38088fc0d50dd7d3f/keystone/token/providers/fernet/token_formatters.py#L94

  As this is either an invalid or expired token and of no use to anyone,
  logging this does not pose any vulnerability (unless an expired
  fernet token can be used for anything). In any case, it might be
  better to not log the entire token.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1680289/+subscriptions
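The distinction drawn in the comment above (a token the cryptography library rejects carries no recoverable payload, while an expired token is cryptographically intact and its payload still decrypts) can be reproduced directly against the `cryptography` Fernet API. The following is an added example written for this archive page; it is not keystone's code and does not reproduce keystone's token format or validation path. It assumes the `cryptography` package (3.1 or later, for `encrypt_at_time` and `extract_timestamp`) is installed; the key, the TTL and the payload are constructed for the example. It also shows the mitigation the bug report asks for: writing a hashed reference to the log instead of the token itself.

```python
"""Added example (not keystone's code): an undecipherable Fernet token has no
payload, an expired one still does, and neither should be logged verbatim.

Assumes the `cryptography` package is installed. The key, TTL and payload
below are constructed for this example.
"""
import hashlib
import time
from typing import Optional, Tuple

from cryptography.fernet import Fernet, InvalidToken

# Constructed demo key; keystone loads its keys from its fernet key repository.
KEY = Fernet.generate_key()
FERNET = Fernet(KEY)
TTL_SECONDS = 3600  # constructed token lifetime for the example

DEMO_PAYLOAD = b"user=u1;project=p1"  # constructed stand-in for token payload


def safe_token_ref(token: bytes) -> str:
    """Log-safe reference to a token: a short SHA-256 prefix plus its length.

    The hash lets an operator correlate repeated failures without the log
    ever containing the token bytes themselves.
    """
    digest = hashlib.sha256(token).hexdigest()[:12]
    return f"token(sha256={digest}, len={len(token)})"


def classify(token: bytes, now: Optional[int] = None) -> Tuple[str, Optional[bytes]]:
    """Split a token into the three cases discussed in the bug.

    Returns one of:
      ("undecipherable", None) - base64/format/MAC check failed; there is no
                                 payload to recover, so nothing sensitive
                                 exists inside the value
      ("expired", payload)     - cryptographically valid but older than the
                                 TTL; the payload (user/project IDs) is
                                 still readable, so the token is sensitive
      ("valid", payload)       - cryptographically valid and fresh
    """
    now = int(time.time()) if now is None else now
    try:
        # No ttl argument: the library only verifies integrity here, and
        # expiry is checked separately, mirroring the split described above.
        payload = FERNET.decrypt(token)
    except InvalidToken:
        return "undecipherable", None
    issued_at = FERNET.extract_timestamp(token)
    if now - issued_at > TTL_SECONDS:
        return "expired", payload
    return "valid", payload


def log_line(token: bytes, now: Optional[int] = None) -> str:
    """Build the message to log for a rejected token, without the token itself."""
    state, _payload = classify(token, now)
    return f"token rejected: state={state} ref={safe_token_ref(token)}"


def make_demo_tokens(now: int) -> Tuple[bytes, bytes, bytes]:
    """Constructed inputs: a fresh token, an expired one, and a tampered one."""
    fresh = FERNET.encrypt_at_time(DEMO_PAYLOAD, now)
    expired = FERNET.encrypt_at_time(DEMO_PAYLOAD, now - 2 * TTL_SECONDS)
    # Flip one base64 character inside the IV/ciphertext region so the token
    # still decodes but its HMAC no longer verifies.
    pos = 30
    replacement = b"A" if fresh[pos:pos + 1] != b"A" else b"B"
    tampered = fresh[:pos] + replacement + fresh[pos + 1:]
    return fresh, expired, tampered


if __name__ == "__main__":
    now = int(time.time())
    for name, tok in zip(("fresh", "expired", "tampered"), make_demo_tokens(now)):
        state, payload = classify(tok, now)
        print(f"{name:9s} -> {state:14s} payload={payload!r}")
        if state != "valid":
            print("  log:", log_line(tok, now))
```

Running it shows the tampered token (and any non-Fernet string) classified as undecipherable with no payload, while the expired token decrypts to the constructed `user=u1;project=p1` payload; in both failure cases the emitted log line contains only the hashed reference, which is the behaviour the report recommends for the logging call it points at.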

